The long, solder-heavy way to get root access to a Starlink terminal
Enlarge / Nobody said getting root access to space was going to be easy. (credit: KU Leuven)
Getting root access inside one of Starlink's dishes requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping hardware and skills, bootloader software understanding, and a custom PCB board. But researchers have proven it can be done.
In their talk "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal," researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink User Terminal (i.e., a dish board) using a custom-built modchip through a voltage fault injection. The talk took place in August, but the researchers' slides and repository have recently made the rounds.
Lennert Wouters of KU Leuven presenting the group's Starlink findings at DEF CON 30.
There's no immediate threat, and the vulnerability is both disclosed and limited. While bypassing signature verification allowed the researchers to "further explore the Starlink User Terminal and networking side of the system," slides from the Black Hat talk note that Starlink is "a well-designed product (from a security standpoint)." Getting a root shell was challenging, and doing so didn't open up obvious lateral movement or escalation. But updating firmware and repurposing Starlink dishes for other purposes? Perhaps.